Perfect Privacy wrote:
> The problem is that we have a public OpenVPN service. Pay €9.95 and you
> get an OpenVPN account at currently half a dozen servers for a
> month. This means there are always and will always be some people who
> create a certain amount of abuse or trouble. In the long run, the
> external IP every OpenVPN user gets assigned is prohibited from editing
> Wikipedia, it might be banned by e-gold and on some popular webforums,
> one-click-hosters, etc. Not a pleasant experience for the 97% of our
> customers who use our service responsibly and legitimately to regain
> their privacy.
>
A simple question ... usually people use OpenVPN to allow
external users to access some private network, for database access,
ERP/internal systems and such. It seems that you're forwarding INTERNET
traffic as well through the VPN tunnel.
The question is ... is it really necessary, in your case, to
forward INTERNET traffic as well as your internal traffic?
I'm supposing your users are reaching your OpenVPN service through the
internet, so maybe the best way is to let them access the internet 'by
themselves', simply not forwarding ALL traffic through the VPN tunnel,
probably the 'redirect-gateway' parameter in your server.
Is that an option in your situation?
> Assigning all 11 available external IPs "randomly", "arbitrarily" or
> "sequentially" at the same time would only be a bonus. I wonder if it's
> possible at all.
>
You can do this with iptables nat POSTROUTING rules. This has really
nothing to do with OpenVPN. OpenVPN doesn't know about what's internal
and what's internet traffic. OpenVPN does not do your NAT stuff. It simply
routes things securely. If you need some complex NAT situation, iptables
is the place to do it.
You can simply do:
iptables -t nat -A POSTROUTING -s ip.vpn.network.0/24 -j SNAT --to-source your.external.ip.1-your.external.ip.10
That would distribute connections over those IP
addresses. But note you can and probably will have new problems with
that. Systems that use IP addresses for security reasons, for example
by making the user's external IP part of the session information,
can break with that. Of course the translated IP won't change on the SAME
connection, but HTTP is made of a LOT of connections, so the IP may change
between different connections and that can break some sessions on
internet banking and stuff, for example.
You will have problems with systems that use IP addresses to
allow/deny something in different protocols, pop-before-smtp for
example. A user would do POP3 with one address and maybe reach SMTP with
another external address, thus not being allowed to forward their mail
because that IP hasn't been 'seen' by the POP3 service.
Also you should note that you don't have too many IP addresses. 11
addresses is not few, but not that many either. Changing the external
IP, randomizing it or anything else would be just a workaround that will
continue to give you problems when your 11 external IP addresses have
been 'badly used'.
It's possible, but it will bring different problems.
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email
gertrudes@xxxxxxxxxxxxxx
My SPAMTRAP, do not email it
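As an added example (not code from the original thread or from Perfect Privacy's setup), the script below emits the range SNAT rule discussed in the reply next to a per-slice variant that pins each part of the tunnel subnet to one external address, so a client keeps a stable external IP and IP-bound sessions survive. The tunnel subnet 10.8.0.0/24, the eleven 203.0.113.x addresses and the /28 slicing are assumptions; with the default DRY_RUN=1 the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not code from the original post. Addresses are constructed
# placeholders (RFC 5737 documentation range for the external side).
VPN_NET="10.8.0.0/24"     # assumed OpenVPN tunnel subnet
EXT_FIRST="203.0.113.1"   # first of the 11 external addresses (constructed)
EXT_LAST="203.0.113.11"   # last of the 11 external addresses (constructed)

# Print the rule with DRY_RUN=1 (default); run it for real with DRY_RUN=0.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Variant 1: one rule over the whole range, as in the reply. The kernel
# picks a source address per connection, so one client can show up with
# several external IPs across the many connections of a single web session,
# which is what breaks IP-bound checks such as pop-before-smtp.
snat_range() {
  run iptables -t nat -A POSTROUTING -s "$VPN_NET" -j SNAT \
    --to-source "$EXT_FIRST-$EXT_LAST"
}

# Number of external addresses (assumes both ends share the first 3 octets).
ext_count() {
  echo $(( ${EXT_LAST##*.} - ${EXT_FIRST##*.} + 1 ))
}

# Variant 2: pin each /28 slice of the tunnel subnet to one external address.
# A client that always gets a tunnel address from the same slice (e.g. via a
# fixed ifconfig-push in OpenVPN's client-config-dir) keeps one external IP,
# so sessions survive while a ban still only hits that slice's address.
snat_per_slice() {
  prefix="${VPN_NET%.*}"          # 10.8.0
  ext_prefix="${EXT_FIRST%.*}"    # 203.0.113
  n=$(ext_count)
  i=0
  while [ "$i" -lt "$n" ]; do
    run iptables -t nat -A POSTROUTING -s "$prefix.$((i * 16))/28" \
      -j SNAT --to-source "$ext_prefix.$(( ${EXT_FIRST##*.} + i ))"
    i=$((i + 1))
  done
}

# Slices beyond the 11 mapped ones still need to leave: append a catch-all
# rule after the per-slice ones so nothing is silently dropped.
snat_fallback() {
  run iptables -t nat -A POSTROUTING -s "$VPN_NET" -j SNAT \
    --to-source "$EXT_FIRST"
}
```

Order matters: append the per-slice rules before the fallback, since POSTROUTING evaluates them top to bottom and the first match wins.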
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users